General
-
Target
XClient.exe
-
Size
37KB
-
Sample
240524-jtgm5sae99
-
MD5
d837db914680e0e91ee392cf2b3f3d2b
-
SHA1
30f2fc5f58250895f74969d1a7c932f68efcd9af
-
SHA256
2835c974cc09bb061c2737418d331ca8a338936f7d986ce848396c78b35845be
-
SHA512
aff4c2cafa23813d5c16ccd8baa8247697cc444c3642140610113f7e4854c083fad514ef3a6441b1fb3075e819af8599d1c5f5b3725c89521045f55598ebcd7b
-
SSDEEP
768:xz5lT+Q2PeKmxzHAXFyK9Oi26YOjhDPygM:xz512PGLuF39726YOj9u
Malware Config
Extracted
xworm
5.0
weeks-deployment.gl.at.ply.gg:56058
bGBs6Wpo1XzkMyuH
-
Install_directory
%Temp%
-
install_file
System32.exe
Targets
-
-
Target
XClient.exe
-
Size
37KB
-
MD5
d837db914680e0e91ee392cf2b3f3d2b
-
SHA1
30f2fc5f58250895f74969d1a7c932f68efcd9af
-
SHA256
2835c974cc09bb061c2737418d331ca8a338936f7d986ce848396c78b35845be
-
SHA512
aff4c2cafa23813d5c16ccd8baa8247697cc444c3642140610113f7e4854c083fad514ef3a6441b1fb3075e819af8599d1c5f5b3725c89521045f55598ebcd7b
-
SSDEEP
768:xz5lT+Q2PeKmxzHAXFyK9Oi26YOjhDPygM:xz512PGLuF39726YOj9u
Score10/10-
Detect Neshta payload
-
Detect Xworm Payload
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-